CVE-2024-56158
- Source
- https://cve.org/CVERecord?id=CVE-2024-56158
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56158.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-56158
- Aliases
- Published
- 2025-06-12T14:56:56.939Z
- Modified
- 2026-04-10T05:18:40.068084Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- XWiki allows SQL injection in query endpoint of REST API with Oracle
- Details
-
XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMSXMLGEN or DBMSXMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56158.json", "cwe_ids": [ "CWE-89" ], "cna_assigner": "GitHub_M" }- References
-
- https://jira.xwiki.org/browse/XWIKI-22734
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56158.json
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-prwh-7838-xf82
- https://nvd.nist.gov/vuln/detail/CVE-2024-56158
- https://github.com/xwiki/xwiki-platform/commit/ce855aae38eefd8ee3fc86353d51ac03d6cb7f8d